I’ve recently shifted from installing Istio via Helm to using the new GKE Istio add-on. As far as I can tell, Istio seems to be installed with the K8s addon-manager. I’m attempting to change the service type of the `istio-ingressgateway` from `LoadBalancer` to `NodePort`, as I am fronting it with an L7 load balancer. Every time I attempt to change the service type with `kubectl edit svc istio-ingressgateway -n istio-system`, the service shortly reverts back to `LoadBalancer`. As far as I can tell this is expected behavior with any resource labeled with `addonmanager.kubernetes.io/mode: Reconcile`, but even changing this label to `addonmanager.kubernetes.io/mode: EnsureExists` or removing it completely doesn’t do the trick. Any help would be greatly appreciated. I’d prefer not to revert to the Helm installation, but can if completely necessary.
Anything installed via the addon manager with `addonmanager.kubernetes.io/mode: Reconcile` can’t be modified. This includes changing that attribute. (These resources are actually YAML files on disk on the master and they are re-applied every x seconds.)
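The following is an added illustration, not code from this thread, from Istio, or from kube-addon-manager: a toy model of the reconcile loop described in the answer above. It assumes a fake in-memory "cluster" and a constructed stand-in for the `istio-ingressgateway` Service manifest on the master's disk. The point it makes is the one the question and answer are circling: the addon manager decides what to do from the label in the file on disk, so relabelling or editing the live object is overwritten on the next pass when the file says `Reconcile`, whereas an `EnsureExists` file is only created when missing and live edits survive.

```python
# Added example (not Istio or kube-addon-manager code): a toy model of the
# addon-manager reconcile loop. Mode is read from the manifest on disk, so
# editing the live object, its label included, cannot change the outcome.
import copy

MODE_LABEL = "addonmanager.kubernetes.io/mode"

# Constructed stand-in for the manifest file the addon manager re-applies.
INGRESSGATEWAY_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "istio-ingressgateway",
        "namespace": "istio-system",
        "labels": {MODE_LABEL: "Reconcile"},
    },
    "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
}


def key(obj):
    return (obj["kind"], obj["metadata"]["namespace"], obj["metadata"]["name"])


class FakeCluster:
    """Minimal stand-in for the API server: a dict of live objects."""

    def __init__(self):
        self.objects = {}

    def apply(self, manifest):
        # Simplified `kubectl apply`: the manifest's fields win.
        self.objects[key(manifest)] = copy.deepcopy(manifest)

    def get(self, kind, namespace, name):
        return self.objects[(kind, namespace, name)]

    def edit(self, kind, namespace, name, mutate):
        # Simulates `kubectl edit`: mutate the live object in place.
        mutate(self.objects[(kind, namespace, name)])


def reconcile_once(cluster, manifests_on_disk):
    """One periodic pass of the addon manager.

    The mode comes from the file on disk, never from the live object,
    so a relabelled live object does not change which branch runs.
    """
    for manifest in manifests_on_disk:
        mode = manifest["metadata"]["labels"].get(MODE_LABEL, "Reconcile")
        if mode == "Reconcile":
            cluster.apply(manifest)            # overwrite on every pass
        elif mode == "EnsureExists":
            if key(manifest) not in cluster.objects:
                cluster.apply(manifest)        # create only if missing
        else:
            raise ValueError(f"unknown addon-manager mode {mode!r}")


def demo(disk_mode="Reconcile"):
    """Install the gateway, edit it as in the question, reconcile, and report
    the (service type, label value) that survive the next pass."""
    manifest = copy.deepcopy(INGRESSGATEWAY_MANIFEST)
    manifest["metadata"]["labels"][MODE_LABEL] = disk_mode
    cluster = FakeCluster()
    reconcile_once(cluster, [manifest])

    def to_nodeport(svc):
        svc["spec"]["type"] = "NodePort"
        # The relabel attempt from the question, applied to the live object.
        svc["metadata"]["labels"][MODE_LABEL] = "EnsureExists"

    cluster.edit("Service", "istio-system", "istio-ingressgateway", to_nodeport)

    reconcile_once(cluster, [manifest])  # the next periodic pass
    svc = cluster.get("Service", "istio-system", "istio-ingressgateway")
    return svc["spec"]["type"], svc["metadata"]["labels"][MODE_LABEL]


if __name__ == "__main__":
    print("file on disk says Reconcile    ->", demo("Reconcile"))
    print("file on disk says EnsureExists ->", demo("EnsureExists"))
```

With the file on disk labelled `Reconcile`, both the `NodePort` change and the relabel are gone after the next pass; only changing the file on disk (which a GKE add-on user cannot do) would switch the branch. The practical check on a real cluster is to read the label off the live object with `kubectl get svc istio-ingressgateway -n istio-system -o yaml` and, if it says `Reconcile`, to treat the object as owned by the platform rather than fighting the loop.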
Should the documentation at https://istio.io/docs/ops/app-health-check/#enable-via-helm-option-globally be updated to mention this restriction?
Also there should be a way to globally set this flag, instead of using permissive which is less secure or having to annotate each pod. Is there an issue open for this?
@ostromart may be able to help
It doesn’t belong in the istio.io documentation because it’s an internal behavior for Istio on GKE as addon only. We do explain the reconcile behavior in the public docs but deliberately don’t mention the means through which this is implemented because it’s too low level and not anything that users can change or do something about anyway.